Japanese authorities have issued a warning regarding a sophisticated cyber-espionage effort orchestrated by a Chinese state-backed group known as “MirrorFace.” The National Police Agency and the National Center of Incident Readiness and Strategy for Cybersecurity have highlighted the relentless activities of MirrorFace aimed at stealing technology and national security secrets from Japanese organizations.
According to reports, the advanced persistent threat group MirrorFace has been actively operating since 2019, engaging in various tactics to infiltrate and compromise sensitive data. Japanese law enforcement has identified three main types of MirrorFace attacks conducted over the years, showcasing the group’s evolving strategies and targets.
The earliest tactic employed by MirrorFace involved an elaborate phishing campaign that spanned from 2019 to 2023. This campaign specifically targeted Japan’s think tanks, governments, and politicians, aiming to deliver malware and extract valuable information. In 2023, MirrorFace shifted its focus towards exploiting vulnerabilities in network devices across multiple sectors, including healthcare, manufacturing, information and communications, education, and aerospace. The group took advantage of vulnerabilities in devices such as Fortinet FortiOS, FortiProxy, Citrix ADC, and Citrix Gateway to further their illicit activities.
Another phishing campaign was initiated around June 2024, using basic tactics to target the media, think tanks, and politicians in Japan. Additionally, between February 2023 and October 2023, MirrorFace was observed exploiting an SQL injection vulnerability in an external, publicly reachable server to gain unauthorized access to Japanese organizations, further underscoring the group’s persistent and aggressive nature.
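The SQL injection route mentioned above is a code-level flaw in the targeted server rather than anything specific to the group. The following is an added illustration, not code from the report or from any affected organization: it builds a constructed in-memory SQLite table standing in for a public-facing server's user store and contrasts the vulnerable string-concatenation pattern with the parameterized query that closes the hole. The table contents and the probe string are constructed sample values.

```python
import sqlite3


def build_db():
    # Constructed sample data: a minimal user table standing in for a
    # public-facing server's backing database. Not from the report.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so
    # quote characters in the input become part of the query's syntax.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_hardened(conn, username):
    # Hardened pattern: the value is bound by the driver as a parameter and
    # can never be interpreted as SQL, whatever characters it contains.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def demo():
    # Runs both lookups against the same constructed input and returns the
    # results so the difference can be inspected (or asserted on).
    conn = build_db()
    tautology = "x' OR '1'='1"  # constructed probe containing a quote
    return {
        "vulnerable": lookup_vulnerable(conn, tautology),
        "hardened": lookup_hardened(conn, tautology),
        "legitimate": lookup_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>11}: {rows}")
```

Running the block shows the vulnerable lookup returning every row for a single crafted username, while the parameterized version returns nothing for the same input and still finds a genuine user. In a code review of an internet-facing application, the string-building form in `lookup_vulnerable` is the pattern to look for; the fix is the parameter binding in `lookup_hardened`, not input filtering.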
The revelations surrounding MirrorFace’s cyber-espionage activities come in the wake of other high-profile Chinese-sponsored cyberattacks targeting US and global telecom companies, as well as the US Department of the Treasury. The escalating tensions in the geopolitical landscape have paved the way for increased APT activity by nation-state actors, with MirrorFace being identified as a suspected People’s Liberation Army cyber-warfare unit.
Mark Bowling, a former FBI special agent and current chief information security and risk officer at ExtraHop, emphasized MirrorFace’s utilization of well-crafted spear-phishing campaigns and weaponized code/logic to carry out their malicious agenda. Bowling warned of the growing threats posed by nation-state groups, particularly in light of ongoing geopolitical conflicts and digital warfare.
As the global cybersecurity landscape continues to face unprecedented challenges, experts like Bowling anticipate a surge in APT activity by malicious actors seeking to exploit vulnerabilities in critical infrastructure. The need for enhanced cybersecurity measures and vigilance against sophisticated cyber threats has never been more critical in safeguarding sensitive information and national security interests.